Managing data through its lifecycle depends on a set of foundational processes that enable the ongoing use and enhancement of data. These include protecting data from unauthorized use, managing Metadata (the knowledge required to understand and use data), and managing the quality of data. As noted earlier, foundational activities must be accounted for as part of planning and design and they must be carried out operationally. These activities are also supported by and integral to the success of governance structures (see Figure 1).
This chapter will discuss data protection and security. Data Security includes the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.
Data security goals
The specifics of data security (which data needs to be protected, for example) differ between industries and countries. But the goal of data security practices is the same: to protect information assets in alignment with privacy and confidentiality regulations, contractual agreements, and business requirements. These requirements come from:
Effective data security policies and procedures allow the right people to use and update data in the right way, and restrict all inappropriate access and updates (see Figure 24).40
Understanding and complying with the privacy and confidentiality interests and needs of all stakeholders is in the best interest of every organization. Client, supplier, and constituent relationships all trust in, and depend on, the responsible use of data.
The goals of data security activities include:
Data security principles
Because specific requirements change over time and differ between places, data security practices should follow guiding principles, including:
Risk reduction and business growth are the primary drivers of data security activities. Ensuring that an organization’s data is secure reduces risk and adds competitive advantage. Security itself is a valuable asset. There is also an ethical imperative to protect data (see Chapter 4).
Data security risks are associated with reputation, regulatory compliance, fiduciary responsibility for the enterprise and stockholders, and a legal and moral responsibility to protect the private and sensitive information of employees, business partners, and customers. Data breaches can cause a loss of reputation and customer confidence. Organizations can be fined for failure to comply with regulations and contractual obligations. Data security issues, breaches, and unwarranted restrictions on employee access to data can directly impact operational success.
Business growth includes attaining and sustaining operational business goals. Globally, electronic technology is pervasive in the office, marketplace, and home. Desktop and laptop computers, smart phones, tablets, and other devices are important elements of most business and government operations. The explosive growth of e-commerce has changed how organizations offer goods and services. In their personal lives, individuals have become accustomed to conducting business online with goods providers, medical agencies, utilities, governmental offices, and financial institutions. Trusted e-commerce drives profit and growth. Product and service quality are directly related to information security: robust information security enables transactions and builds customer confidence.
The goals of mitigating risks and growing the business can be complementary and mutually supportive if they are integrated into a coherent strategy of information management and protection.
Data security and enterprise data management
As data regulations increase — usually in response to data thefts and breaches — so do compliance requirements. Security organizations are often tasked with managing not only IT compliance requirements, but also policies, practices, data classifications, and access authorization rules across the organization.
As with other aspects of data management, it is best to address data security as an enterprise initiative, and to do so across the data lifecycle (see Figure 25). Without a coordinated effort, business units will find different solutions to security needs, increasing overall cost while potentially reducing security due to inconsistent protection. Ineffective security architecture or processes can cost organizations through breaches and lost productivity. An operational security strategy that is properly funded, systems-oriented, and consistent across the enterprise will reduce these risks.
Data and information security begin by assessing the current state of an organization’s data in order to identify which data requires protection. The process includes the following steps:
In addition to classifying the data itself, it is necessary to assess external threats, such as those from hackers and criminals, and internal risks posed by employees and processes. Much data is lost or exposed through the ignorance of employees who did not realize that the information was highly sensitive or who bypassed security policies. The customer sales data left on a web server that is hacked, the employee database downloaded onto a contractor’s laptop that is subsequently stolen, and trade secrets left unencrypted in an executive’s computer which goes missing, all result from missing or unenforced security controls.
The impact of security breaches on well-established brands in recent years has resulted in huge financial losses and a drop in customer trust. Not only are external threats from the criminal hacking community becoming more sophisticated and targeted, but the damage done by external and internal threats, whether intentional or unintentional, has also been steadily increasing over the years.41
Data security metadata
One approach to managing sensitive data is via Metadata. Security classifications and regulatory sensitivity can be captured at the data element and data set level. Technology exists to tag data so that the Metadata travels with the information as it flows across the enterprise. Developing a master repository of data characteristics means all parts of the enterprise can know precisely what level of protection sensitive information requires.
If a common standard is enforced, this approach enables multiple departments, business units, and vendors to use the same Metadata. Standard security Metadata can optimize data protection and guide business usage and technical support processes, leading to lower costs. This layer of information security can help prevent unauthorized access to and misuse of data assets.
When sensitive data is correctly identified as such, organizations build trust with their customers and partners. Security-related Metadata itself becomes a strategic asset, increasing the quality of transactions, reporting, and business analysis, while reducing the cost of protection and associated risks that lost or stolen information cause.
Data Classification is a prerequisite to managing data security. Two concepts drive security restrictions: confidentiality and regulatory requirements.
The main difference between confidentiality and regulatory restrictions is where the restriction originates: confidentiality restrictions originate internally, while regulatory restrictions are externally defined.
Another difference is that any data set, such as a document or a database view, can only have one confidentiality level. This level is established based on the most sensitive (and highest classified) item in the data set. Regulatory categorizations, however, are additive. A single data set may contain data restricted under multiple regulatory categories. To ensure regulatory compliance, enforce all actions required for each applicable category, along with the confidentiality requirements.
When these rules are applied to a user entitlement (the aggregate of the particular data elements to which a user's authorization provides access), all protection policies covering those elements must be enforced, regardless of whether they originated internally or externally.
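The following is an added example, not part of the original chapter, that puts the two preceding ideas into working code: element-level security Metadata that travels with the data, and the derivation of a data set's classification from it (one confidentiality level, taken from the most sensitive element; regulatory categories accumulated across all elements), followed by an entitlement check against a user's authorization. The four confidentiality levels, the regulation names, the column tags, and the two authorizations are constructed sample data and assumptions for illustration; the chapter does not prescribe any of them.

```python
"""Derive a data set's security classification from element-level Metadata
and check a user entitlement against it (added example; constructed data)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List


class Confidentiality(IntEnum):
    """Assumed internal four-level scheme; only the ordering matters."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Element:
    """Security Metadata carried at the data-element (column/field) level."""
    name: str
    confidentiality: Confidentiality            # internally defined
    regulations: frozenset = frozenset()        # externally defined categories


@dataclass(frozen=True)
class Classification:
    confidentiality: Confidentiality
    regulations: frozenset


def classify(elements: Iterable[Element]) -> Classification:
    """Derive the single classification of a data set (view, extract, entitlement).

    Confidentiality is not additive: the set takes the level of its most
    sensitive element. Regulatory categories are additive: the set is subject
    to every category that applies to any element in it.
    """
    elements = list(elements)
    if not elements:
        raise ValueError("a data set needs at least one element")
    level = max(e.confidentiality for e in elements)
    regs = frozenset().union(*(e.regulations for e in elements))
    return Classification(level, regs)


@dataclass(frozen=True)
class Authorization:
    user: str
    clearance: Confidentiality      # highest confidentiality level granted
    approved_for: frozenset         # regulatory categories the user may handle


def check_entitlement(auth: Authorization, entitlement: Iterable[Element]) -> List[str]:
    """Return policy violations for granting `entitlement` to `auth`.

    An empty list means both the confidentiality requirement and every
    regulatory requirement of the aggregated elements are satisfied.
    """
    cls = classify(entitlement)
    violations = []
    if auth.clearance < cls.confidentiality:
        violations.append(
            f"clearance {auth.clearance.name} below required {cls.confidentiality.name}")
    for reg in sorted(cls.regulations - auth.approved_for):
        violations.append(f"not approved for {reg} data")
    return violations


# Constructed sample tags for a customer table (not from the original text).
CUSTOMER_ID = Element("customer_id", Confidentiality.INTERNAL)
EMAIL = Element("email", Confidentiality.CONFIDENTIAL, frozenset({"GDPR"}))
CARD_NUMBER = Element("card_number", Confidentiality.RESTRICTED, frozenset({"PCI-DSS", "GDPR"}))
PRODUCT_SKU = Element("product_sku", Confidentiality.PUBLIC)

# Constructed sample authorizations.
ANALYST = Authorization("analyst", Confidentiality.CONFIDENTIAL, frozenset({"GDPR"}))
PAYMENTS_OPS = Authorization("payments_ops", Confidentiality.RESTRICTED,
                             frozenset({"GDPR", "PCI-DSS"}))

if __name__ == "__main__":
    full_row = [CUSTOMER_ID, EMAIL, CARD_NUMBER, PRODUCT_SKU]
    print(classify(full_row))
    for auth in (ANALYST, PAYMENTS_OPS):
        print(auth.user, check_entitlement(auth, full_row) or "allowed")
    # A narrower entitlement without card_number drops back to CONFIDENTIAL / {GDPR}.
    narrow = [CUSTOMER_ID, EMAIL, PRODUCT_SKU]
    print(ANALYST.user, check_entitlement(ANALYST, narrow) or "allowed")
```

The point of `classify` is that the same element tags yield different results depending on which elements are aggregated: the full row is RESTRICTED and carries both regulatory categories, so the analyst is refused on two independent grounds, while a view that omits the card number is CONFIDENTIAL and GDPR-only, and the same analyst may receive it.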
Data security architecture
Enterprise architecture defines the information assets and components of an enterprise, their interrelationships, and business rules regarding transformation, principles, and guidelines. Data Security architecture is the component of enterprise architecture that describes how data security is implemented within the enterprise to satisfy the business rules and external regulations. Architecture influences:
Security architecture is particularly important for the integration of data between:
For example, an architectural pattern of a service-oriented integration mechanism between internal and external parties would call for a data security implementation different from traditional electronic data interchange (EDI) integration architecture.
For a large enterprise, the formal liaison function between these disciplines is essential to protecting information from misuse, theft, exposure, and loss. Each party must be aware of elements that concern the others, so they can speak a common language and work toward shared goals.
Planning for data security
Planning for security includes process planning as well as data classification and architectural planning. It includes security not only of systems, but also of facilities, devices, and credentials. Implementing good practices starts with identifying requirements. These are based largely on regulations for particular industries and geographies. It is important to ensure an organization can meet requirements that may be driven by those with whom it interacts; for example, the European Union has stricter privacy requirements than does the United States. Requirements will also be based on risks connected with the system landscape of the organization itself.
Requirements should be formalized into enterprise-wide policies and supported by clear standards for things like classification levels. Policies and standards need to be maintained as regulations evolve. Staff will require ongoing training, and data access and system usage will need to be monitored to ensure compliance.
Corporate culture deeply influences how we keep data secure. Organizations often end up reacting to crises, rather than proactively managing accountability and ensuring auditability. While perfect data security is next to impossible, the best way to avoid data security breaches is to build awareness and understanding of security requirements, policies, and procedures. Organizations can increase compliance through:
What you need to know